
Next-Generation Security Platform and Architecture


EDU-210

PAN-OS® 8.0

Courseware Version A
Agenda
§ Security platform overview

§ Next-generation firewall architecture

§ Zero Trust security model

§ Public cloud security

§ Firewall offerings

2 | ©2017, Palo Alto Networks, Inc.


Security Platform Overview



Cyber Attack Lifecycle
Reconnaissance > Weaponization > Delivery > Exploitation > Installation > Command & Control > Act on Objective

Stop the attack at any point!



Next-Generation Security Platform

Next-Generation Firewall
§ Identifies and inspects all traffic
§ Blocks known threats
§ Sends unknown to cloud
§ Extensible to mobile and virtual networks

Threat Intelligence Cloud
§ Gathers potential threats from network and endpoints
§ Analyzes and correlates threat intelligence
§ Disseminates threat intelligence to network and endpoints

Advanced Endpoint Protection
§ Inspects all processes and files
§ Prevents both known and unknown exploits
§ Integrates with cloud to prevent known and unknown malware



Next-Generation Security Platform (Cont.)
§ Panorama: Management and reporting
§ AutoFocus: Threat intelligence that can be acted on
§ Aperture: Software-as-a-service (SaaS) security
§ GlobalProtect: Extend platform externally



Next-Generation Firewall Architecture



Palo Alto Networks Single-Pass Architecture
Single pass:
§ Operations per packet:
• Traffic classification with App-ID technology
• User/group mapping
• Content scanning – threats, URLs, confidential data
§ One single policy (per type)

Parallel processing:
§ Function-specific parallel processing hardware engines
§ Separate data/control planes



Palo Alto Networks Firewall Architecture

Control Plane (Management: configuration | logging | reporting)
§ Management CPU, RAM, and storage
§ Provides configuration, logging, and report functions on a separate processor, RAM, and hard drive

Dataplane (single pass: pattern match, report and enforce policy)

Signature Matching (FPGA + RAM)
§ exploits (IPS) | virus | spyware | CC# | SSN
§ Stream-based, uniform signature match including vulnerability exploits (IPS), virus, spyware, CC#, and SSN

Security Processing (CPU + RAM)
§ App-ID | User-ID | URL match | policy match | app decoding | SSL/IPsec | decompression
§ High-density parallel processing for flexible hardware acceleration for standardized complex functions

Network Processing (FPGA + RAM)
§ flow control | route lookup | MAC lookup | QoS | NAT
§ Front-end network processing, hardware-accelerated per-packet route lookup, MAC lookup, and NAT

Data interfaces
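The slide calls the signature engine "stream-based": patterns are matched over the reassembled byte stream rather than packet by packet. The following added example (not Palo Alto Networks code or part of the course) shows why that distinction matters for the CC# and SSN data patterns the slide lists. The two regular expressions, the HTTP segments and the 32-byte carry-over length are constructed for this illustration; a real engine additionally handles TCP reassembly and out-of-order segments, which this toy assumes are already in order.

```python
"""Per-packet vs stream-based signature matching (added example, not vendor code)."""
import re
from typing import List, Set

# Constructed signatures standing in for the CC# / SSN data patterns on the slide.
SIGNATURES = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "cc-number": re.compile(rb"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}
MAX_SIG_LEN = 32  # assumed upper bound on any match length; bounds the carry-over


def match_per_packet(segments: List[bytes]) -> Set[str]:
    """Naive engine: every segment is scanned in isolation, so a pattern that
    straddles a segment boundary is never seen whole."""
    hits: Set[str] = set()
    for seg in segments:
        for name, sig in SIGNATURES.items():
            if sig.search(seg):
                hits.add(name)
    return hits


class StreamMatcher:
    """Stream-based engine: each segment is scanned together with the tail of
    the data seen so far, giving one uniform pass over the byte stream."""

    def __init__(self) -> None:
        self.tail = b""
        self.hits: Set[str] = set()

    def feed(self, segment: bytes) -> Set[str]:
        data = self.tail + segment
        for name, sig in SIGNATURES.items():
            if sig.search(data):
                self.hits.add(name)
        # Keep just enough bytes to bridge the next boundary. The carry-over
        # must be at least one byte shorter than the longest possible match,
        # and never shorter than that, or split matches are lost again.
        self.tail = data[-(MAX_SIG_LEN - 1):]
        return set(self.hits)


def match_stream(segments: List[bytes]) -> Set[str]:
    matcher = StreamMatcher()
    for seg in segments:
        matcher.feed(seg)
    return matcher.hits


# Constructed HTTP request split so the SSN straddles the two segments.
SPLIT_SEGMENTS = [
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\nssn=123-4",
    b"5-6789&note=quarterly\r\n",
]
# Same kind of content delivered in one segment: both engines catch it.
WHOLE_SEGMENT = [
    b"POST /upload HTTP/1.1\r\n\r\nssn=123-45-6789&card=4111 1111 1111 1111\r\n",
]

if __name__ == "__main__":
    print("split, per-packet:", match_per_packet(SPLIT_SEGMENTS))  # nothing found
    print("split, stream:    ", match_stream(SPLIT_SEGMENTS))      # ssn found
    print("whole, per-packet:", match_per_packet(WHOLE_SEGMENT))
    print("whole, stream:    ", match_stream(WHOLE_SEGMENT))
```

The design choice worth noticing is the carry-over buffer: the stream engine does not need to keep the whole connection in memory, only enough trailing bytes to cover the longest signature, which is what makes a single pass over the stream affordable at line rate.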



Zero Trust Security Model



Data Flows in an Open Network

Diagram: north-south traffic and east-west traffic in an open network.
Data Flows Secured by Palo Alto Networks Solution



Coordinated Threat Prevention
Integrated Approach to Threat Prevention, mapped across the lifecycle stages Delivery, Exploitation, Installation, C2, and Act on Objective:
§ App-ID: block high-risk applications; block C2 on non-standard ports; prevent exfiltration and lateral movement
§ URL Filtering: block known malware sites; block malware and fast-flux domains
§ Vulnerability: block the exploit; prevent lateral movement
§ Anti-spyware: block spyware and C2 traffic
§ AV: block malware; prevent lateral movement
§ Traps: monitor allowed processes and executables; prevent the exploit; prevent malicious .exe from running
§ File Blocking: prevent drive-by downloads; prevent exfiltration and lateral movement
§ DoS/Zone: prevent evasions; prevent DoS attacks
§ WildFire: identify malware; detect unknown malware; detect new C2 traffic



Public Cloud Security



Public Cloud Security Overview
§ Protect your public cloud deployment just as you would your data center.

§ Hybrid: securely deploy applications in your data center or in the cloud
§ Segmentation: separate data and applications for compliance and security
§ Internet Gateway: protect internet-facing applications in the cloud
§ Remote Access: consistent policy on the network, on devices

Automated Deployment and Centralized Management
§ Automate firewall deployments with bootstrapping; dynamically update Security policy to ensure security keeps pace with workload changes
§ Manage all aspects of the VM-Series – from configuration to policy to reporting – from a centralized location
§ Enforce policy consistency across both virtualized and physical form-factor firewalls



Hybrid Cloud: Quick Way to Get Started
§ Extend the corporate data center into the public cloud:
• Application dev/test/product projects are common…

§ IPsec VPN protects the connection and contents.

§ VM-Series NGFW features protect the content.

Diagram: DC-FW1, IPsec VPN, DC-FW2; Dev Subnet 10.0.1.0/24; QA Subnet 10.0.2.0/24.



Application Segmentation: Expands upon Hybrid
§ Maintain separation between data and applications for security and compliance
§ Control which applications can communicate with each other
§ Protect traffic within the VPC/vNet and traversing each subnet
§ Prevent threats from moving laterally

Diagram: DC-FW1, IPsec VPN, DC-FW2; Dev Subnet 10.0.1.0/24; QA Subnet 10.0.2.0/24; Prod Subnet 10.0.3.0/24.



Internet-Facing Applications: Leverage Perimeter Controls
§ Traditional perimeter security strengths apply:
• Visibility: Classify all traffic based on application identity
• Control: Enable those applications you want, deny those you don’t
• Protect: Block known and unknown threats
• Authorize: Grant access based on user identity

Diagram: Edge Subnet 10.0.4.0/24; Server Subnet 10.0.5.0/24.
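The segmentation slide and the perimeter slide above describe the same mechanism from two angles: classify each flow by application and user, then let a rule base decide which zone-to-zone paths are open, so that lateral movement between subnets is denied by default. The following added example (not Palo Alto Networks code or course material) models that as a first-match policy over the subnets shown in the diagrams. The zone names, application names, user groups and rules are assumptions constructed for the example, and the fallback behaviour when no rule matches (allow within a zone, deny between zones) is likewise an assumption of this model.

```python
"""Zone-based segmentation policy model (added example, not vendor code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple

# Subnets from the course diagrams; the zone names are this example's own labels.
ZONES = {
    "dev": ip_network("10.0.1.0/24"),
    "qa": ip_network("10.0.2.0/24"),
    "prod": ip_network("10.0.3.0/24"),
    "edge": ip_network("10.0.4.0/24"),
    "server": ip_network("10.0.5.0/24"),
}
UNTRUST = "untrust"  # assumed zone for any address outside the known subnets


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown addresses land in the untrust zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return UNTRUST


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    app: str         # application identity from traffic classification
    user_group: str  # group from user/group mapping; "" if unmapped


@dataclass
class Rule:
    name: str
    from_zones: Set[str]
    to_zones: Set[str]
    apps: Set[str]         # {"any"} matches every application
    user_groups: Set[str]  # {"any"} matches regardless of user mapping
    action: str            # "allow" or "deny"

    def matches(self, flow: Flow, src_zone: str, dst_zone: str) -> bool:
        return (
            src_zone in self.from_zones
            and dst_zone in self.to_zones
            and ("any" in self.apps or flow.app in self.apps)
            and ("any" in self.user_groups or flow.user_group in self.user_groups)
        )


# Constructed rule base: only the application paths that are needed are opened.
RULES: List[Rule] = [
    Rule("server-to-prod-db", {"server"}, {"prod"}, {"mysql"}, {"any"}, "allow"),
    Rule("dev-to-qa-web", {"dev"}, {"qa"}, {"web-browsing", "ssl"}, {"developers"}, "allow"),
    Rule("internet-to-edge-web", {UNTRUST}, {"edge"}, {"web-browsing", "ssl"}, {"any"}, "allow"),
]


def evaluate(flow: Flow, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins; otherwise the assumed zone defaults apply:
    allow inside a zone, deny between zones (which is what stops lateral movement)."""
    src_zone, dst_zone = zone_of(flow.src_ip), zone_of(flow.dst_ip)
    for rule in rules:
        if rule.matches(flow, src_zone, dst_zone):
            return rule.action, rule.name
    if src_zone == dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


if __name__ == "__main__":
    samples = [
        Flow("10.0.5.10", "10.0.3.20", "mysql", ""),                  # permitted app path
        Flow("10.0.1.10", "10.0.3.20", "mysql", "developers"),        # dev -> prod: denied
        Flow("10.0.1.10", "10.0.2.5", "web-browsing", "developers"),  # permitted for the group
        Flow("10.0.1.10", "10.0.2.5", "web-browsing", "contractors"), # wrong group: denied
        Flow("203.0.113.7", "10.0.4.3", "ssl", ""),                   # internet -> edge web
        Flow("203.0.113.7", "10.0.4.3", "ssh", ""),                   # internet -> edge ssh: denied
    ]
    for f in samples:
        action, why = evaluate(f)
        print(f"{f.src_ip:>12} -> {f.dst_ip:<10} {f.app:<13} {action:<5} ({why})")
```

Two properties of the model carry over to real deployments: the rule base is positive (it lists what is allowed, and everything else between zones falls through to deny), and the match keys are application and user identity rather than port numbers, so moving a service to a non-standard port does not open a path the policy never granted.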



GlobalProtect: Extend Security to All Users/Devices

Diagram: public cloud.

§ Leverage scale and availability of the public cloud to reach global employees

§ Extend corporate Security policy to remote users



Firewall Offerings



Physical Platforms
Next-Generation Firewalls: PA-200, PA-220, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series

Panorama: M-100, M-500/WF-500



VM-Series Models and Capacities (PAN-OS® 8.0)

Performance and Capacities              | VM-700      | VM-500    | VM-300  | VM-100  | VM-50
Firewall throughput (App-ID enabled)    | 20Gbps      | 10Gbps    | 4Gbps   | 2Gbps   | 200Mbps
Threat prevention throughput            | 10Gbps      | 5Gbps     | 2Gbps   | 1Gbps   | 100Mbps
Max sessions                            | 10,000,000  | 2,000,000 | 800,000 | 250,000 | 50,000
Dedicated CPU cores                     | 2, 4, 8, 16 | 2, 4, 8   | 2, 4    | 2       | 2
Dedicated memory (minimum)              | 48GB        | 16GB      | 9GB     | 6.5GB   | 4.5GB
Dedicated disk drive capacity (minimum) | 60GB        | 60GB      | 60GB    | 60GB    | 32GB



Questions?


